Hi, I’ve recently started working with Istio and stumbled on something I don’t understand. When trying out the connectionPool setting for DestinationRule resources and disallowing more than one connection at a time, I assumed that requests that arrive after the limit is reached will wait for their turn, and then succeed (given they don’t time out before).
I tested this using a ServiceEntry to access httpbin.org, curling its /delay/<int> endpoint which returns after x seconds from two pods inside the cluster. I used a 7 second and a 3 second delay respectively, starting the request that takes 7 seconds first. What I expected was that the second request, even though started at almost the same time as the first, would only return after 10 seconds since it had to wait for a slot in the pool - however, it returned after 3 seconds already.
Trying the same thing against an in-cluster deployment of the httpbin server achieves the result I expected. Any idea what could be affecting the connection limiting? Here’s the broken configuration:
External httpbin service entry:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: httpbin-service-entry
namespace: default
spec:
hosts:
- httpbin.org
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
Destination rule for connection limiting:
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: httpbin-connection-limit
namespace: default
spec:
host: httpbin.org
trafficPolicy:
connectionPool:
tcp:
maxConnections: 1
connectTimeout: 10s
http:
maxRequestsPerConnection: 1
Deploying a K8S service and deployment using the kennethreitz/httpbin Docker image for httpbin and then setting the host in the DestinationRule to the FQDN of the K8S service makes it work. Why?